After trying for 3 weeks to make AWS WorkSpaces work for my company, I can still confidently say that Amazon doesn't get it. Their solutions are more "Go to Home Depot and get the parts to make a desk", whereas Google Apps is "go to Ikea". The two solutions are neighbors, but not everyone is ready to buy the individual boards and cut them down to size.
Your comparison is bang on, except that's the point. Amazon isn't trying to be Ikea. It is absolutely trying to provide the building blocks for small companies and large to use their cloud platform in a very foundational manner. Yes, the onboarding cost may be high, but Amazon doesn't mind if customers end up using Heroku or EngineYard instead - they are customers too.
AWS is a lot like Linux that way: a deeply challenging initial learning curve, but the only thing worth considering for serious mission-critical architecture. Stability and scalability do come at the cost of user-friendliness.
As a follow-up, the General Manager of Amazon WorkSpaces reached out to me and asked for my feedback. This is one place where the Ikea analogy holds true. Just like Home Depot, Amazon has workers that engage with their customers and know how to build; like Ikea, getting a Google employee's attention typically requires a plane ticket and a healthy dose of good luck...
If I'm building a company, I absolutely want Home Depot and not Ikea. If I'm building a weekend project, sure, Ikea is great.
And beyond that, I absolutely don't want to have to rely on Google's customer support or pricing/platform stability for anything that really matters to me, and my company's infrastructure really, really matters to me.
Agreed; while they have some excellent services, some other products lose the usability/practicality game, e.g. the video transcoding service compared to Zencoder, or CloudFront compared to Cloudflare.
I tried AWS Zocalo (document store and collaboration) and it was close to feature-free. I have no idea why they released it in that state. I generally like AWS stuff, but Zocalo is a real turkey.
Everyone is talking KMS which is nice but I don't think that is the biggest selling point. Being able to say in which region your email is stored is huge for customers who don't want their data shipped all over the world.
"Another notable feature of WorkMail is that users can specify what Amazon region their e-mail is stored in. Customers can choose a specific, relatively close data center to reduce latency in retrieving e-mail or for compliance purposes—such as European privacy regulations. The feature means that users won’t get the benefit of failover to another data center in the event of an outage, but Amazon may offer mirroring services later."
That is a big differentiator for many companies right there.
> or for compliance purposes—such as European privacy regulations
That sounds nice, but Amazon is still a US company, and the US government seems pretty staunch in their view that US law trumps country-of-residence law.
This uses Amazon KMS. Amazon KMS is PC backed ("HSA"), which means all your mail is encrypted to a key which it now takes two Amazon employees acting under court order to get access to, rather than a court order and one employee.
Google's internal controls are at least this robust, and they have similar key management systems internally.
There might be a reason to buy Amazon WorkMail, but it's not for security advantages over Gmail.
1) Where does this use Key Management Service to encrypt? At the SMTPD? With keys unique to each end user? S/MIME? What?
2) What's the real security model of KMS? Is it using HSMs for keys, or just shipping keys to systems? Does it use any other hardware/platform security features to protect keys, or just basically a "soft HSM" running in Dom0 on each machine? Or something purely network based, and also done in software only?
Scatter gun + Lean Startup principles. Not entirely wrong, though I wish some more initial refinement was included, but if the brand doesn't take a hit then fair enough.
I think the biggest distinguishing feature of this is being able to have it encrypt emails with customer provided keys stored on their Key Management Service. This hypothetically should prevent three letter agencies from accessing emails, but I'm not sure that is the top feature on everyone's mind when they are looking to set up email for their company. It definitely piques my interest though.
That is, assuming the mail is stored on the server and it's encrypted, how do you search it efficiently?
It does not seem efficient to download every byte of mail, decrypt it, and search it on your local machine (especially a phone). Perhaps you could build an index locally, but could you keep it updated? And even that requires downloading and reading every byte at least once.
This is something I've always wondered about encrypting hosted email.
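The two questions raised above, where a KMS-style key service fits into encrypting stored mail and how encrypted mail can be searched without pulling every byte down to a phone, can be illustrated together. The following is an added example written for this page; it is not Amazon's, WorkMail's or any commenter's code, and it makes no claim about how WorkMail actually works. It shows one common answer to both: envelope encryption, where each message gets its own data key that is wrapped by a master key held by a key provider (the `MasterKeyStandIn` class is this example's local stand-in for a KMS-managed key), and a blind keyword index, where the client stores keyed hashes of each word next to the ciphertext so the server can answer keyword searches while holding no keys and no plaintext. HMAC-SHA256 in counter mode with encrypt-then-MAC stands in for a real AEAD such as AES-GCM; all class and function names and the three sample messages are this example's own.

```python
import hashlib
import hmac
import secrets

# Constructed example (not Amazon's or WorkMail's code). Envelope encryption with
# per-message data keys wrapped by a master key (MasterKeyStandIn stands in for a
# KMS-managed key) plus a blind keyword index, so a server holding only ciphertext
# can answer keyword searches. HMAC-SHA256 in counter mode with encrypt-then-MAC
# stands in for a real AEAD such as AES-GCM; use a vetted library outside a demo.

def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive independent encryption and MAC keys from one data key."""
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF (HMAC-SHA256) in counter mode, used here as the stream-cipher stand-in."""
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(out[:length])

def encrypt(key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC under a fresh random nonce; the returned blob is self-contained."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}

def decrypt(key: bytes, blob: dict) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    tag = hmac.new(_subkey(key, b"mac"), blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        raise ValueError("authentication failed: ciphertext or tag was modified")
    stream = _keystream(_subkey(key, b"enc"), blob["nonce"], len(blob["ct"]))
    return bytes(c ^ s for c, s in zip(blob["ct"], stream))

class MasterKeyStandIn:
    """Stand-in for a KMS master key: the key never leaves this object (GenerateDataKey/Decrypt pattern)."""
    def __init__(self) -> None:
        self._master = secrets.token_bytes(32)
    def generate_data_key(self) -> tuple:
        data_key = secrets.token_bytes(32)
        return data_key, encrypt(self._master, data_key)
    def unwrap(self, wrapped: dict) -> bytes:
        return decrypt(self._master, wrapped)

def tokenize(text: str) -> set:
    """Normalize a body into lowercase words with surrounding punctuation stripped."""
    return {w.strip(".,;:!?\"'()").lower() for w in text.split()} - {""}

def blind_token(index_key: bytes, word: str) -> str:
    """Keyed hash of a word: the server can match tokens but cannot recover the word."""
    return hmac.new(index_key, word.lower().encode(), hashlib.sha256).hexdigest()

class EncryptedMailStore:
    """Server side: holds wrapped keys, ciphertext and blind tokens, never a key."""
    def __init__(self) -> None:
        self.rows = {}
    def put(self, msg_id: str, wrapped_key: dict, body: dict, tokens: set) -> None:
        self.rows[msg_id] = {"wrapped_key": wrapped_key, "body": body, "tokens": tokens}
    def search(self, token: str) -> list:
        return sorted(mid for mid, row in self.rows.items() if token in row["tokens"])

class MailClient:
    """Client side: owns the index key; asks the master-key provider to unwrap data keys."""
    def __init__(self, master: MasterKeyStandIn, store: EncryptedMailStore) -> None:
        self.master, self.store = master, store
        self.index_key = secrets.token_bytes(32)
    def send(self, msg_id: str, body: str) -> None:
        data_key, wrapped = self.master.generate_data_key()
        tokens = {blind_token(self.index_key, w) for w in tokenize(body)}
        self.store.put(msg_id, wrapped, encrypt(data_key, body.encode()), tokens)
    def search(self, word: str) -> list:
        return self.store.search(blind_token(self.index_key, word))
    def read(self, msg_id: str) -> str:
        row = self.store.rows[msg_id]
        return decrypt(self.master.unwrap(row["wrapped_key"]), row["body"]).decode()

def demo() -> dict:
    """Constructed three-message mailbox; returns what search and read give back."""
    client = MailClient(MasterKeyStandIn(), EncryptedMailStore())
    client.send("m1", "Q3 budget spreadsheet attached, please review.")
    client.send("m2", "Lunch on Friday? The budget can wait.")
    client.send("m3", "Reminder: meeting room 2 is booked.")
    return {"budget": client.search("Budget"), "friday": client.search("friday"),
            "payroll": client.search("payroll"), "m2": client.read("m2")}

def tamper_detected() -> bool:
    """Flip one ciphertext byte on the server and confirm read() refuses it."""
    client = MailClient(MasterKeyStandIn(), EncryptedMailStore())
    client.send("x", "hello")
    blob = client.store.rows["x"]["body"]
    blob["ct"] = bytes([blob["ct"][0] ^ 1]) + blob["ct"][1:]
    try:
        client.read("x")
        return False
    except ValueError:
        return True
```

Calling `demo()` returns the two messages matching "budget", the one matching "friday", nothing for "payroll", and the decrypted body of `m2`; `tamper_detected()` shows the MAC rejecting a modified ciphertext. The trade-off the blind index buys is visible in the code: the server learns which messages share a token and how often each token is queried, even though it cannot read the words, so this is cheaper than downloading everything but not leakage-free, and the master key holder (the KMS stand-in) can still unwrap every data key, which is exactly the access-control question the thread is arguing about.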
I've been a user of Rackspace E-mail. It's one of the last services I still have with Rackspace and it's been a good platform for my company. I can't tell you the last time I had an issue. Looks like this is on the road to making Rackspace irrelevant on yet another level.
Racker here responsible for our mail services. Thanks for the positive feedback and for being a customer. Curious why you say this would make our offering irrelevant?
I'm actually not too surprised. It seems like Amazon feels like they have to have every online service possible; however, some of their services could be better if they focused on fewer.
To qualify any hosted mail service to handle valuable, confidential data seems difficult. For example:
What are the confidentiality provisions? Can they be changed without your consent? Does Amazon possess cleartext data and metadata? Do they monitor it to collect customer data? Who at Amazon can access it and when? What is their retention policy? Is non-retained data destroyed or just left on the storage medium until overwritten? How will they respond to subpoenas, warrants, and similar requests from counterparties in lawsuits or from government? And perhaps most importantly, how able are they to execute their policies and what deters Amazon from violating them (i.e., what is the penalty?)?
Is there any service that satisfies these requirements?
1) a shared consumer service (i.e. a bunch of gmail accounts in the public namespace)
2) some kind of dedicated-instance-within app service (which seems to be how google apps for your domain works)
3) container/vm based isolation of app service (i.e. a provider who runs dedicated VMs of their own or standard platforms for people...I think some of the hosted exchange options are like this)
4) dedicated servers but with provider retaining root, but a third party or your own staff doing app administration on mail server
5) #4 but without root for provider, but with normal machines and thus single-user
6) #4/5 with encrypted disk, such that it would be trickier
7) Colo vs. dedicated servers, with full crypto.
8) On-premise
I personally think the correct option for most organizations for mail is absolute-minimum 3, maybe 4. I feel uncomfortable less than 6. For someone like WikiLeaks, you are abjectly incompetent other than 7 or 8, at least using commodity technology today.
To run a "real" company, of let's say, 200 people or more, dealing with mildly sensitive data, you need Microsoft[1][2][3][4]. You need Microsoft because you need:
* Calendaring that Just Works, and a capable client for it. This involves an Exchange server and MS Office;
* You need mail that Just Works, and Just Works in conjunction with the above calendaring; this involves an Exchange server and MS Office;
* You need an easily controllable and relatively cheap OS that can run Word, Excel, and a web-browser for non-technical staff, and can be run on cheap-ass Dell boxes; currently this involves Windows and MS Office;
* You need a shared fileserver for people to upload company party photos to, storing improperly protected financial spreadsheets, and so on;
* You need a central identity system to tie the whole shebang together; this involves Active Directory
To summarise, you need:
* ActiveDirectory, for which there is now Amazon WorkMail
* Exchange, for which there is now Amazon WorkMail
* Windows File Sharing, for which there is now Amazon WorkDocs
* Windows desktops that can run MS Office ... for which there is sort of Amazon WorkSpaces
The question now becomes: can I get away with running a 200-person company with no relationship with MS by deploying cheap-cheap Linux machines with a VNC-client to Amazon WorkSpaces for non-technical staff? And the answer is ... perhaps, but I need my people to be able to work without an internet connection, so probably not.
But still, that's fucking huge.
The one piece missing in this lineup is capable local Office apps. You simply cannot get away with not having Excel, Word, and Outlook's Calendar functionality ... yet. Finance, Admin, Management, and non-dev IT will riot without Excel; Admin, Sales, and Management will riot without Word; Sales and Management will riot without Outlook, and blood will be spilled over the management of more than two meeting rooms. OpenOffice, LibreOffice, whatever, they don't cut it in the real world.
So while it doesn't sound like their game, if Amazon were to release a lock-down-able Linux and some high-quality Office apps, they can take SME IT away from Microsoft. That is HUGE. Hell, if they can put together a package that can run Office under WINE reliably, and sort sensible licensing terms, it's just as huge, but I can't see MS allowing that licensing part to happen, because it would be suicide.
Interesting times!
[1] I don't care how Canonical or RedHat manage their internal IT
[2] Nor do I care about how your 11 person social media startup does it
[3] I too did all my best IT management before I became responsible for it
[4] Seriously.
OpenOffice is not good enough but you still think Amazon can release something better just like that? Oo shows how hard the problem is, even if you have decades of experience. Amazon has almost no experience with huge desktop applications, they can't possibly release something that can seriously compete with MS Office.
> This involves an Exchange server and MS Office;
Pretty sure you must be joking. We, a 1000+ person real company, have zero Exchange. Google Apps. People sure love to run MS products on their Macs though. Puzzler, that. I'll stick to Google Docs when I have to and alternatives when I have a choice.
Can't remember the last MS Word/Excel/Powerpoint document I've ever created. You could not pay me to run Exchange.
Why irony? You can use Outlook as a client for WorkMail. I wouldn't be surprised if they shift to WorkMail once it satisfies their large enterprise requirements (given that it's an MVP right now).
Probably because HN doesn't want people accidentally linking to Google's tracking search results by accident, although HN should really wrap paywalled articles by default, or at least have a policy on what is allowed. I'm sure more than 90% can't actually see anything without messing around with referral links.
This to me just emphasizes the need for services like Nilas' email APIs. I don't want to have to worry about integrating with yet another email provider.
That being said, I trust Amazon's data centers and API stack far more than Microsoft alone.
Email can go better than APIs: it has publicly available protocols and there are many implementations of them (including many good FOSS implementations). They are called IMAP and SMTP! Any email client can integrate with any email server, and has been able to since the beginning of email.
ecaron|11 years ago
AWS, I still <3 you.
nullrouted|11 years ago
http://arstechnica.com/information-technology/2015/01/amazon...
efiftythree|11 years ago
Addressing Office 365 Customer Concerns about Data Geo-Redundancy and Location - http://blogs.technet.com/b/uspartner_ts2team/archive/2013/06...
Where is my data? - http://www.microsoft.com/online/legal/v2/en-us/MOS_PTC_Geo_B...
beagle3|11 years ago
You can go under the radar when you are LavaBit small (and then, only until you have a single high-profile user). But not when you are Amazon.
KeepTalking|11 years ago
What sort of protection do they offer for phishing, spam and AV?
Do they offer integration with other security and DLP suites?
cryptoz|11 years ago
I tried to submit that to HN, but it didn't seem to work.